vulnerability in gulp 4.0.2

[jdneo]

The minimist needs to upgrade to >= 1.2.2

├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └── [email protected]

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

[tschallacka]

Related: isaacs/node-mkdirp#11

related: dominictarr/rc#114

[gregg-cbs]

and kind-of is causing a ton of audit fails.

Path

gulp > gulp-cli > matchdep > micromatch > extglob > define-property > is-descriptor > kind-of   

[yocontra]

Once mkdirp updates, the dependency will be pulled in automatically since we use semver - there isn't really anything actionable for us to do about this. Run npm update after the relevant packages fix themselves.

FWIW these npm audit warnings have no attack vector and I have always had an issue with how NPM/Snyk reports these "vulnerabilities". We get reports for these all the time and 0 of them have ever had any real exploitability. I used to be a pentester for a living + have published a handful of CVEs so I take the security of my packages extremely seriously.

[phated]

Your npm audit gives no context and you probably need to look at using a better tool. Like contra said, these don't effect us. In fact, minimist would only be used if you were directly running those dependencies as a command line tool, which you aren't when you are using gulp.